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Alice communicates with words drawn uniformly amongst {b)}j=i..n , the canonical orthonormal 
basis. Sometimes however Alice interleaves quantum decoys {-Li^ill^} between her messages. Such 
pairwise superpositions of possible words cannot be distinguished from the message words. Thus as 
malevolent Eve observes the quantum channel, she runs the risk of damaging the superpositions (by 
causing a collapse). At the receiving end honest Bob, whom we assume is warned of the quantum 
decoys' distribution, checks upon their integrity with a measurement. The present work establishes, 
in the case of individual attacks, the tradeoff between Eve's information gain (her chances, if a 
message word was sent, of guessing which) and the disturbance she induces (Bob's chances, if a 
quantum decoy was sent, to detect tampering). Whilst not directly applicable to secure channel 
protocols, quantum decoys seem a powerful primitive for constructing other n-dimensional quantum 
cryptographic applications. Moreover the methods employed in this article should be of strong 
interest to anyone concerned with the old but fundamental problem of how much information may 
be gained about a system, versus how much this will disturb the system, in quantum mechanics. 
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MOTIVATION AND CLAIM 



The key principle of quantum cryptography could be 
summarized as follows. Honest parties play using quan- 
tum states. To the eavesdropper these states are ran- 
dom and non-orthogonal. In order to gather informa- 
tion she must measure them, but this may cause irre- 
versible damage. Honest parties seek to detect her mis- 
chief by checking whether certain quantum states are left 
intact. The tradeoff between the eavesdropper's informa- 
tion gain (about an ensemble of quantum states), and the 
disturbance she necessarily induces (upon this ensemble), 
can thus be viewed as the power engine behind quantum 
cryptographic protocols. 

Yet while numerous protocol-specific proofs of security 
have been given. Information Gain versus Disturbance 
tradeoffs themselves have remained stubbornly difhcult 
to quantify. The problem was first taken over by Fuchs 
and PeresjllJ, who tackled the seemingly simple case 
of the two non-orthogonal equiprobable states ensemble 
{(l/2,|V'o)(V'o|),(l/2,|V'i>(^i|)}- A geometrical deriva- 
tion of their result can be found in ^ . For discrete dis- 
tributions this is just about the only result available. Of 
lesser interest for cryptography, but very important in 
terms of its methods is the work by Banaszek|^, who 
quantified the tradeoff for the continuous uniform n- 
dimensional ensemble. BarnumQ makes several accurate 
qualitative remarks upon the same ensemble, suggesting 
the tradeoff remains unchanged for a uniform distribu- 
tion over mutually unbiased states. 

In the present work we quantify the disturbance in- 



duced upon the uniform ensemble of n-dimensional states 
{{l/n^ , Pjk\, where j and k range from 1 to n, and pjk 
stands for the density matrix of pairwise superpositions 
(|j)+»|fc)K(j| (j^Q^^g iliox when j = k this is simply the 
basis state When making use of non-orthogonal 

states this is no doubt a natural distribution to consider, 
and thus an important building block for n-dimcnsional 
cryptographic protocols. Its 7r/2 phase renders this 'pair- 
ing ensemble' undistinguishable from the canonical en- 
semble {(1/n, |j)(j|)}, for they both have density ma- 
trix Id/n (the maximally mixed state). This feature 
enables the honest parties to hide the pairwise super- 
positions within classical messages as means of securing 
those, i.e. to use the superpositions as 'quantum decoys'. 
In such situations the eavesdropper seeks to gather in- 
formation about the classical messages, not the decoys. 
Therefore we quantify her information gain with respect 
to the canonical ensemble {(l/n, \j) (j|)}, as suits the fol- 
lowing scenario best: 

Scenario 1 (Quantum decoys) Consider a quantum 
channel for transmitting n-dimensional systems hav- 
ing canonical orthonormal basis Suppose Alice's 
message words are drawn from the canonical ensem- 
ble {(1/n, \j){j\)}j=i...n, whilst her quantum decoys are 
drawn from the pairing ensemble {{^/n^ , Pjk}j,k=i...n, 
with Pjk = _ Alice sends Bob, over the 
quantum channel, either a message word or a decoy. Sup- 
pose that Bob, whenever a quantum decoy pjk gets sent, 
measures 

rp _ f \.i)+i\k) ^f {j\-i{k\ . 



V2 



V2 



Pi 



tamper 



■ I Pintact^ 

(1) 



* Electronic address: |pja35@cam.ac. Tiki 



SO as to check for tampering. Suppose Eve is eavesdrop 
ping the quantum channel, and has an interest in deter 
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mining Alice 's message words. 



With 



Results on cryptographic protocols involving discrete dis- 
tributions in n-dimensional quantum systems (where n is 
left to vary), remain relatively scarce to this day 0,0- 
0,^^ and tend to focus on mutually unbiased states. 
We hope our main result will prove a useful contribution 
to this difficult line of research: 

Claim 1 (Statement of security) Referring to Sce- 
nario 1, suppose Eve performs an individual attack such 
that, whenever a message word gets sent, she is able to 
identify which with probability G (mean estimation fi- 
delity). 

Then, whenever a quantum decoy gets sent, the probabil- 
ity D (induced disturbance) of Bob detecting the tamper- 
ing is bounded below under the following tight inequality: 



D>\-U^+^{n^l){l-G) 
A In \ 
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For optimal attacks G varies from ^ to 1 as D varies 
from to i — J-. 

The reminder of this paper is dedicated to proving the 
above statement. The method is just as important as 
the result, since it seems applicable to several similar 
problems in quantum cryptography. 

In section^]we provide the necessary mathematical re- 
sults required to prove Claim^ We recall, in particular, 
a key inequality regarding scalar products of vectors (first 
obtained in |^), as well as some powerful formulae arising 
from the state-operator correspondence (first obtained in 
0). Section llTTl exploits the latter formula to express the 
probability of Bob not detecting the tampering (induced 
fidelity) as a linear functional upon the positive matrix 
corresponding to Eve's attack. This brings about crucial 
simplifications, finally placing us in a position to apply 
the inequality. We do so in Section IIVI and prove our 
claim. 



II. MATHEMATICAL METHODS 

Notations. We denote by Af(j(C) the set oi d x d 
matrices of complex numbers, and by Hermj'(C) its 
subset of positive matrices, also referred to as the (non- 
normalized) states of a d-dimensional quantum system. 
In this section we let {\i)} and be orthonornial 

bases of C™ and C" respectively, which we will refer to 
as canonical. 

The following result is a minor generalization of some 
steps by Banaszek ^ . 

Proposition 1 (Inequality) Consider a vector of com- 
plex numbers v — {ajr)jr together with a function j : 
N — > N. We then have: 

f <{V9+Virn-l)in-g)y 



m — 1 



r j=0 



And subject to 
Proof. Further let 
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{ajr)r with r such that 7^ J 



and notice that g 
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Cauchy-Schwartz inequality yields: 



Vi-V* < \\Vi 



/<(Eii^^-ii)' 
/<(V^+EIK-I 
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The quadratic/arithmetic mean inequality yields: 

^ 771 — 1 



m - 



j=0 
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Combining Inequalities lO and Q yields the lemma. □ 
Next we remind the reader of an isomorphism from 
quantum states to quantum operations, which in quan- 
tum information theory dates back to the work of Jami- 
olkowski 10 and Choi 10] . The correspondence was 
subsequently reviewed and taken further in j^, where 
Proposition|21appears. First we relate vectors of C^igfC" 
to endomorphisms from C" to C™. 

Isomorphism 1 The following linear map 

" : C" (8) C" ^ £;nd(C" ^ C") 

A^A 
E^,,|z)b-)^EA,,K)(j| 

ij ij 

where i = 1, . . . , m and j — I, ... ,n, is an isomorphism 
taking mn vectors A into m x n matrices A. 

Second we relate elements of Mmn(C) to linear maps from 
M„(C) to Af„(C). 
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Isomorphism 2 The following linear map: 

: C"" (g) (C"")^ — > End{Mn{C} ^ Mm{C)) 
$ I — >^:p^ %{p)] 
such that AB^ i — > [p ApB^^] i.e. 



ijkl 

where i, k 
phism. 



kl 



^)\J){m\^[p^Y.^^^Bll\')^^\p\^)^^\ 

ijkl 



1, . . . , m and j,l = 1, . 



, n, IS an isomor- 



Definition 1 A linear map ft : Af,„(C) M„(C) is 
Completely Positive-preserving if and only if for all r 
and for all p in Herm^j.{'C) , ($7 (g) Idr){p) belongs to 
Herm'^^{C) . 

Completely Positive-preserving linear maps from quan- 
tum states in Herm^ (C) to quantum states in Herm^ (C) 
are exactly those which are physically allowable. They 
correspond, via Isomorphism El to quantum states in 
Herm+„(C): 

Theorem 1 ^3 I'he linear operation $ : M„(C) 
Mjn{C) is Completely Positive-preserving if and only if 
$ belongs to Herm'^^^{<C) . 

Definition 2 A linear map $ : Af„(C) Af„i(C) is 
Trace-preserving if and only if for all p in M„(C), 
Tr{%{p)) = Trip). 

Completely Positive-preserving linear maps having unit 
probability of occurrence on every input quantum state 
are exactly those which are Trace-preserving. They 
correspond, via Isomorphism |21 to quantum states in 
Herm^„(C) verifying 



Tri($) =/d„. 



(5) 



Proposition 2 (State-operator formulae) Q Let $ 

a linear map from M„(C) to Afm(C), a, p two elements 
of Mn{C), K, T two elements o/Afj„(C). Then we have: 



K$(pcr)T = 2r2((K® p* 



where Tr2 denotes the partial trace over the second system 
C" in C™ (g) C". In particular this implies that for all 
p e A'f„(C) and k G Af„(C), 

Tr{K%{p)) = Tr((K(g)p*)$). 

As with many quantum cryptographic problems our anal- 
ysis will require a careful optimization of the fidelity in- 
duced by a quantum operation $. By means of the above 
formulae we shall be able to write the induced fidelity 
as a linear functional upon $. This step is crucial to the 
next section (Lemma OJ. 



III. PRELIMINARY CALCULATIONS 
A. Information Gain 

There exists several well-motivated methods with 
which to quantify Eve's information gain. The one we 
shall adopt focuses on her ability to make a guess after 
the measurement. Compared with Shannon's mutual en- 
tropy this measure is advantageously close in nature to 
the notion of disturbance. 

Definition 3 (Mean estimation fidelity) The mean 
estimation fidelity of a generalized measurement {Ar} 
with guesses {IV'r)} w.r.t to an ensemble {{pi,\<t>i){(f'i\)} 
is defined by: 

r,i 

= J2p^{<I^MlAr\^^)Tr{\ct>^){^^\^Pr){A\) 

The mean estimation fidelity is to be understood as the 
average fidelity between the measurer's guess knowing 
outcome r occurred (the |'0r)'s) and the i*'' state which 
was indeed originally sent to him (the |(/)i)'s). 
Notice it is justified to consider that Eve's preferred at- 
tack is a generalized measurement. In general she could 
perform a quantum operation, which leaves her the possi- 
bility to regroup several measurement outcomes into one 
likelier outcome. But there is no information to be gained 
by ignoring the break-up of the likelier measurement out- 
come. In fact this would simply force some of the |'(/'r)'s 
to be equal: the induced disturbance can only be made 
worse. 

In our scenario Eve gathers information about the canon- 
ical ensemble {{1/n, |i)(j|)}j=i..n, for which one obtains 

r 

Clearly Eve's optimal guess knowing outcome r occurred 
is such that (j(r)|lj;ir|j(r)) = maxj(j|it4r|j). 
As a consequence 

r 
r 

= ^J2^T{ld®\j^r)){j(r)\ArAl) 

r 

where we applied Proposition |21 This yields: 

Lemma 1 (Estimation as a linear functional) Let 

$ = {Aj.} be a generalized measurements with best guess 
\j{r)), and $ = {Ar} its corresponding quantum state. 
Further let 



]Id(E)\j^r)){jir)\(^\r){r\ 
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With j(r) such that {j^r)\^lAr\j(r)) = maxj(j|Al;A,.|j). 
Then the mean estimation fidelity of $ with respect to the 
canonical ensemble is given by 



G = ^ rr(=6'(A,®|r))(A,®|r))t) 



(6) 



As we have seen the generalized measurement is equiv- 
alently described, using Isomorphism by {^r}, a set 
of non-zero non-normahzed n^-dimensional vectors. Fur- 
ther consider the larger vector v = (Ay>)y>, i.e. with r 
itself an index of the complex components. The trace- 
preserving condition upon the generalized measurement 
is easily seen to imply that should be equal to n. 

From Lemma ^ it is clear that when seeking an upper 
bound for G under this fixed norm constraint, we may 
assume v to take the form v — {Ajjr)jjr, because of the 
identity matrix on the first subsystem of As we shall 
explain in subsection IIII Bl this can be done at no cost 
for the mean induced fidelity. This way we reach the 
following Lemma: 

Lemma 2 (Information) Consider a generalized mea- 
surement {^4^}, '^^AlAr = Id, Ar diagonal for all r, 
acting upon an n-dimensional system. Then the mean 
estimation fidelity w.r.t the canonical ensemble verifies 



In our scenario Eve is tested on the pairing ensemble 
{(l/n2,p,,},,fe^i...„, with p,, = (b)+'l''>KO-|-»W) ^ 
which one obtains: 



for 



^P]k®P*jk \n){n\ + \j3){kk\ + i\ji){3k\ - i\jj){kj\ 
+ \kk){jj\ + \kk){kk\ + i\kk){jk\ - i\kk){kj\ 
- ^\jk){jj\ - i\jk){kk\ + \jk){jk\ - \3k){kj\ 
+ i\kj)(jj\+i\kj)(kk\ - \kj)(jk\ + \kj){kj\ 

P3k®p]k+ Pk3®pl, = + \kk)){{j]\ + {kk\) 

+ \{\jk)-\kj)){m^{kj\) 

jk 

-JZ{i\n) + \kkm3j\ + {kk\) + {\jk)~\k3)){{3k\-{kj\)) 
jk 

We now proceed to express Equation (jHJ in terms of pro- 
jectors. Regarding the subspace of repeated indices we 
observe that: 

E {\33) + \kk)){{jj\ + {kk\) = 2^ (bj>Oj| + \j3){kk\) 



jk 



jk 



G<-g 



with g = l^i{r) and such that j{,,)rP 
max^' 



B. Disturbance 

The notion of disturbance refers to Bob's chances of 
detecting Eve's alteration of the state originally sent. For 
this purpose Bob can, at best, project the received state 
upon the span of the original state. Thus the disturbance 
verifies D — 1 ~ F, where F is the induced fidelity. 

Definition 4 (Induced fidelity) The fidelity in- 
duced by a quantum operation $ upon an ensemble 
{{PiA<Pi){4'i\)} "is defined by: 

F = Ep,Tr(|0,)(0,|$(|0,)(</),|)) 



The induced fidelity is to be understood as the average fi- 
delity between the output of the quantum operation (the 

$(|0i)(0i|)'s) and its input (the \(j)i){(j)i\'s). A straightfor- 
ward application of Proposition |21 yields: (with * denot- 
ing componentwise complex conjugation as usual) 

F = Ep,Tr((|</.,)(0,|®|</.:)(0:i)$) (7) 



As regards the subspace of non-repeated indices the vec- 
tors \jk) — \kj) are already orthogonal to each other, so 
long as we maintain j < k. Combining our newly found 
spectral decomposition with Equation yields: 

Lemma 3 (Fidelity as a linear functional) Let $ be 

a quantum operation, and S its corresponding quantum 
state. 

Further let 



1 1 

2n 2n 



\jk)-\kj),Ajk\^{kj\^ 



j<k 



V2 
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V2 



onrep 



With Prep <»\j){j\ Pnonrep = Id-Prep 

3 

\P)^^Y.\^]) and Pp = \(3)m 



Then the fidelity induced by % upon the pairing ensemble 
is given by 



F = Tr{£ $). 



(9) 



Using Theorem^S is positive and may be thus be written 
$ = ArAl, with {Ar} a set of non-zero non-normalized 
n^-dimensional vectors. Further consider the larger vec- 
tor V = {Aijr)ijr- The trace-preserving condition upon 
$ is easily seen to imply, via by Equation jSJ, that 
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should be equal to n. From Lemma O it is clear that, 
when seeking an upper bound for F under this fixed norm 
constraint and if n > 2, we may assume v to lie in the 
subspace of projector Prep (X" Id. In other words v takes 
the form v = {Ajjr)jjr- As we have explained in sub- 
section IIII Al this can be done at no cost for the mean 
estimation fidelity. We then have, using Lemma |3| still: 



A* 



jkr 



This way we reach the following Lemma: 

Lemma 4 (Disturbance) Consider a generalized mea- 
surement {Ar}, X^r^r^'" ~ diagonal for all r, 
acting upon an n-dimensional system. Then the distur- 
bance induced upon the pairing ensemble verifies 



with / = Er 



D > 



:0 ^nr\ ■ 



2n- 



■f 



IV. OPTIMIZATION AND CONCLUSION 

We are now set to prove Claim ^ From Proposition 
we immediately have 



1 



1 



1 



1 



T;-^f>T;-:^{V9+ Vin l){n - g)y 



2n2 



Applying Lemma El and 01 yields 



D>-- —{v^+^nin-m-oy 



2n2 

which in turn is nothing but Inequality Q. A plot of 
the curve is shown in the Figure below. As was the case 
with the continuous uniform ensemblePl the generalized 
measurement family 



^\^){A + \f^{ld-\r){r\) 



saturates the tradeoff for any fixed G = l/n..l. This 
may come as no surprise since the corresponding vec- 
tors Ar verify 



Ar = \\rr)+^l[ 



G- 



1_G 

n- 1 



1_G 

n-V 



In other words these unit vectors {A^} can be thought 
of as superpositions of Eve's two extreme attacks: on 
the one hand A = 1 yields the projective measurement 
{|r)(r|} maximizing the mean estimation fidelity, whilst 
on the other hand /i = 1 yields the 'do nothing' mea- 
surement {/d} minimizing the disturbance. Viewed from 
the perspective of LcmmaOEve, as she seeks to be more 
conservative, increases her component in the subspace of 

The generalized measurement family 'measure {|?')(?'|} 
with probability p else leave it alone' does not saturate 
the tradeoff, but linear combinations of pure states cor- 
responding to measurement elements do. Stated in this 
simple manner, our result suggests the state-operator 
correspondence method developed in this paper could 
establish itself as a very natural procedure for deriving 
quantum cryptographic security bounds in general. 



Finally we wish to point out that cryptographic ap- 
plications of quantum decoys have recently been investi- 
gated. An asymmetric variant of secure computation, 
whereby Alice gets Bob to compute some well-known 
function f upon her input x, but wants to prevent Bob 
from learning anything about x, makes crucial use of the 
artefact for its security fjij. 
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